Forgotten Password is a three step TEWS call. With TEWS being protected by SM and the right security parameters set for SM in the web.xml, customer is noticing that only his first Forgotten Password TEWS call (to verify user identity) is successful and the subsequent TEWS call is coming back with a "401 Not Authorized" error on the client side. This document describes a way to work around this issue since the problem lies within Apache Axis and not the client side TEWS code or IDM.
Apache Axis 1.3 and 1.4 have a problem with the way they send cookie headers, they send them in the form of cookie:
The above format is not RFC compliant and Webservers reject all but the first cookie as they expect it to be in RFC compliant form:
cookie: cookie1=value; cookie2=value
There is a patch to the Axis clients, however it is a manual patch that requires recompiling Axis. The patch for Axis 1.4 is attached.